Preview

Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Advanced search

An Implementation of Capability-based Security for the General-purpose Microkernel

https://doi.org/10.15514/ISPRAS-2026-38(3)-44

Abstract

Capability-based security is a flexible access control mechanism. It is widely adopted by both mainstream operating systems and research microkernels for operating system kernel object access control. Implementation details vary significantly because kernels prioritize different trade-offs. A considerable amount of implementation details is poorly documented, only being available as a part of a source code. Moreover, different developers use non-standard divergent terminology. The paper describes implementation details of capability-based security in several kernels, highlights their specifics and discusses how they affect potential system security and performance. The paper also presents a capability-based security model implemented in an experimental general-purpose microkernel Sol. The implementation is designed to deliver high scalability on modern multicore microprocessors while preserving the security features found in other state-of-the-art implementations. The key element of the design is a capabilities storage built on top of a user-managed radix tree and reference counting, featuring fast and scalable lock-free operations. It supports partial capabilities, a policy-free capability list structure, access revocation for specific objects as well as multi-threaded operations, all while maintaining a low overhead of two machine words per object and three words per revocable reference. Allowing arbitrary structures within per-thread capability namespaces complicates resource management due to potential reference cycles. To address this issue, we propose two techniques: the first restricts the nesting of radix tree nodes to an acyclic graph, while the second introduces a mechanism to retrieve lost thread references – a feature that also proves useful for emulating the POSIX process ID namespace.

About the Authors

Evgeniy Sergeevich BASKOV
Institute for System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology
Russian Federation

Postgraduate student at ISP RAS, CS MSU master’s graduate. Research interests: operating systems, microkernel architecture, security and performance of operating systems.



Alexey Vladimirovich KHOROSHILOV
Institute for System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology, National Research University, Higher School of Economics, Lomonosov Moscow State University
Russian Federation

Cand. Sci. (Phys.-Math.), Leading Researcher, Director of the Linux Verification Center at ISP RAS, Associate Professor of System Programming Departments at MSU, NRU HSE, and MIPT. Main research interests: design and development methods for critical systems, formal methods of software engineering, verification and validation methods, model-based testing, requirements analysis methods, Linux operating system.



Alexander Konstantinovich PETRENKO
Institute for System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology, National Research University, Higher School of Economics
Russian Federation

Dr. Sci. (Phys.-Math.), Prof., Head of the Software Engineering Department at the Ivannikov Institute for System Programming, Russian Academy of Sciences, Professor of MSU and the Faculty of Computer Science, NRU HSE. Research interests: formal methods of software engineering, operating systems, specification and modeling languages, verification.



References

1. Saltier J. H., Schroeder M. P. Protection of information in computer systems, IEEE CSIT Newsletter, 1975, vol. 3, issue 12, p. 19, DOI: 10.1109/CSIT.1975.6498831.

2. Woodruff J., Watson R. N., Chisnall D., Moore S. W., Anderson J., Davis B., Laurie B., Neumann P. G., Norton R., Roe M. The CHERI capability model: revisiting RISC in an age of risk, SIGARCH Comput. Archit. News, 2014, vol. 42, issue 3, pp. 457–468, DOI: 10.1145/2678373.2665740.

3. capabilities(7) – Linux manual page. Available at: https://man7.org/linux/man-pages/man7/capabilities.7.html, accessed 19.10.2025.

4. unix(7) – Linux manual page. Available at: https://man7.org/linux/man-pages/man7/unix.7.html, accessed 19.10.2025.

5. Watson R., Anderson J., Laurie B., Kennaway K. Capsicum: practical capabilities for UNIX. Available at: https://papers.freebsd.org/2010/rwatson-capsicum.files/rwatson-capsicum-paper.pdf, accessed 19.10.2025.

6. Watson R. N. M., Anderson J., Laurie B., Kennaway K. A taste of Capsicum: practical capabilities for UNIX, Commun. ACM, 2012, vol. 55, issue 3, pp. 97–104, DOI: 10.1145/2093548.2093572.

7. The Mach Project Home Page. Available at: https://www.cs.cmu.edu/afs/cs/project/mach/public/www/mach.html, accessed 06.05.2025.

8. Shapiro J. S., Smith J. M., Farber D. J. EROS: a fast capability system, SIGOPS Oper. Syst. Rev., 1999, vol. 33, issue 5, pp. 170–185, DOI: 10.1145/319344.319163.

9. Learn about Fuchsia: Zircon. Available at: https://fuchsia.dev/fuchsia-src/concepts/kernel, accessed 06.05.2025.

10. Grinten A. van der The Managarm Project. Available at: https://managarm.org/, accessed 19.10.2025.

11. Shapiro J. S., Adams J. W. Coyotos Microkernel Specification. Available at: https://archive.fo/EkWWI, accessed 19.10.2025.

12. The seL4 Microkernel. Available at: https://sel4.systems/, accessed 06.05.2025

13. GENODE – Operating System Framework. Available at: https://genode.org/, accessed 06.05.2025.

14. И.Б. Бурдонов, А.С. Косачев, В.Н. Пономаренко. Операционные системы реального времени. Препринт ИСП РАН № 14, 2006, с. 98.

15. Бурдонов И.Б., Косачев А.С., Петренко А.К., Хорошилов А.В., Чепцов В.Ю. Семейство операционных систем КЛОС. Труды ИСП РАН, том 37, вып. 6, часть 4, 2025 г., стр. 11-26. DOI: 10.15514/ISPRAS–2025–37(6)-47. / Burdonov I.B., Kossatchev A.S., Petrenko A.K., Khoroshilov A.V., Cheptsov V.Yu. CLOS Operating System Family. Trudy ISP RAN/Proc. ISP RAS, vol. 37, issue 6, part 4, 2025., pp. 11-26 (in Russian). DOI: 10.15514/ISPRAS–2025–37(6)-47.

16. <fcntl.h>. Available at: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/fcntl.h. html, accessed 19.10.2025.

17. Introduction to KeySAFE. Available at: https://web.archive.org/web/20070607185423/http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/keysafe/Keysafe.html, accessed 31.10.2025.

18. Learn about Fuchsia: Rights. Available at: https://fuchsia.dev/fuchsia-src/concepts/kernel/rights, accessed 06.05.2025.

19. Feske N. Genode Operating System Framework Foundations. Available at: https://genode.org/documentation/genode-foundations-25-05.pdf, accessed 06.05.2025.

20. Brinkmann M., Matzigkeit G., Hasnaoui G., Baron R. V., Draves R. P., Thompson M. R., Barrera J. S. The GNU Mach Reference Manual. Available at: https://www.cs.cmu.edu/afs/cs/project/mach/public/www/mach.html, accessed 06.05.2025.

21. E. Boebert W. On the inability of an unmodified capability machine to enforce the *-property, Proceedings of the 7th DOD/NBS Computer Security Conference, 1984, pp. 457-468. Available at: http://zesty.ca/capmyths/boebert.html.

22. Miller M. S., Yee K.-P., Shapiro J. Capability Myths Demolished, technical report, 2003. Available at: https://classpages.cselabs.umn.edu/Spring-2019/csci5271/papers/SRL2003-02.pdf, accessed 06.05.2025.

23. Learn about Fuchsia: Zircon Handles. Available at: https://fuchsia.dev/fuchsia-src/concepts/ kernel/handles, accessed 06.05.2025.

24. Shapiro J. S., Weber S. Verifying the EROS Confinement Mechanism, Proceedings of the 2000 IEEE Symposium on Security and Privacy, SP '00. IEEE Computer Society, 2000, p. 166.

25. Shapiro J. S. Dependency Tracking in the EROS Kernel. Available at: https://archive.fo/IOv2j, accessed 19.10.2025.

26. Drepper U. What Every Programmer Should Know About Memory, technical report, 2007. Available at: https://people.freebsd.org/~lstewart/articles/cpumemory.pdf, accessed 06.05.2025.

27. McKenney P. E., Appavoo J., Kleen A., Krieger O., Russell R., Sarma D., Soni M. Read-Copy Update, Ottawa Linux Symposium, 2001. Available at: https://kernel.org/doc/ols/2001/read-copy.pdf, accessed 06.05.2025.

28. Michael M. M. Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects, IEEE Trans. Parallel Distrib. Syst., 2004, vol. 15, issue 6, pp. 491–504, DOI: 10.1109/TPDS.2004.8.

29. gnumach/ipc/ipc_space.h - Github. Available at: https://github.com/flavioc/gnumach/blob/master/ipc/ipc_space.h, accessed 06.05.2025.

30. seL4 Reference Manual Version 13.0.0. Available at: https://sel4.systems/Info/Docs/seL4-manual-latest.pdf, accessed 06.05.2025.

31. Grinten A. van der managarm/managarm: Pragmatic microkernel-based OS with fully asynchronous I/O. Available at: https://github.com/managarm/managarm, accessed 06.05.2025.

32. Bagwell P. Ideal Hash Trees, technical report, 2001. Available at: https://infoscience.epfl.ch/server/api/core/bitstreams/f66a3023-2cd0-4b26-af6e-91a9a6ae7450/content, accessed 06.05.2025.

33. genodelabs/genode: Genode OS Framework. Available at: https://github.com/genodelabs/genode, accessed 06.05.2025.

34. The Open Group Base Specifications Issue 7, 2018 edition. Available at: https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/, accessed 19.10.2025.

35. Walfield N. H., Brinkmann M. A critique of the GNU hurd multi-server operating system, SIGOPS Oper. Syst. Rev., 2007, vol. 41, issue 4, pp. 30–39, DOI: 10.1145/1278901.1278907.

36. Kernel Architecture Overview. Available at: https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/Architecture/Architecture.html, accessed 01.12.2023.

37. Loscocco P., Smalley S. Integrating Flexible Support for Security Policies into the Linux Operating System, 2001 USENIX Annual Technical Conference (USENIX ATC 01), USENIX Association, 2001. Available at: https://www.usenix.org/conference/2001-usenix-annual-technical-conference/integrating-flexible-support-security-policies, accessed 07.06.2026.

38. SELinux User's and Administrator's Guide. Available at: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index, accessed 19.10.2025.

39. Spencer R., Smalley S., Loscocco P., Hibler M., Andersen D., Lepreau J. The flask security architecture: system support for diverse security policies, Proceedings of the 8th Conference on USENIX Security Symposium, SSYM'99, vol. 8. USENIX Association, 1999, p. 11.

40. Learn about Fuchsia. Available at: https://fuchsia.dev/fuchsia-src/get-started/learn-fuchsia, accessed 06.05.2025.

41. The Little Kernel Embedded Operating System. Available at: https://github.com/littlekernel/lk, accessed 06.05.2025.

42. zircon - fuchsia - Git at Google. Available at: https://fuchsia.googlesource.com/fuchsia/+/master/zircon/, accessed 06.05.2025.

43. Grinten A. van der thor and eir - Managarm Handbook. Available at: https://docs.managarm.org/handbook/sys-arch/thoreir/index.html, accessed 19.10.2025.

44. Elkaduwe D., Derrin P., Elphinstone K. Kernel design for isolation and assurance of physical memory, Proceedings of the 1st Workshop on Isolation and Integration in Embedded Systems, IIES '08. Association for Computing Machinery, 2008, pp. 35–40. DOI: 10.1145/1435458.1435465.

45. Lipton R. J., Snyder L. A Linear Time Algorithm for Deciding Subject Security, J. ACM, 1977, vol. 24, issue 3, pp. 455–464, DOI: 10.1145/322017.322025.

46. Elkaduwe D., Klein G., Elphinstone K. Verified Protection Model of the seL4 Microkernel, Proceedings of the 2nd International Conference on Verified Software: Theories, Tools, Experiments, VSTTE '08. Springer-Verlag, 2008, pp. 99–114. DOI: 10.1007/978-3-540-87873-5_11.

47. Kocher P., Horn J., Fogh A., Genkin D., Gruss D., Haas W., Hamburg M., Lipp M., Mangard S., Prescher T., Schwarz M., Yarom Y. Spectre Attacks: Exploiting Speculative Execution. Available at: https://arxiv.org/abs/1801.01203, accessed 01.12.2023.

48. Lipp M., Schwarz M., Gruss D., Prescher T., Haas W., Fogh A., Horn J., Mangard S., Kocher P., Genkin D., Yarom Y., Hamburg M. Meltdown: Reading Kernel Memory from User Space. Available at: https://arxiv.org/abs/1801.01207, accessed 01.12.2023.

49. Intel 64 and IA-32 Architectures Software Developer's Manual. Available at: https://web.archive.org/web/20240505001054/https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html, accessed 06.05.2025.

50. Peters S., Danis A., Elphinstone K., Heiser G. For a Microkernel, a Big Lock Is Fine, Proceedings of the 6th Asia-Pacific Workshop on Systems, APSys '15. Association for Computing Machinery, 2015. DOI: 10.1145/2797022.2797042.

51. Chen H., Miao X., Jia N., Wang N., Li Y., Liu N., Liu Y., Wang F., Huang Q., Li K., Yang H., Wang H., Yin J., Peng Y., Xu F. Microkernel goes general: performance and compatibility in the HongMeng production microkernel, Proceedings of the 18th USENIX Conference on Operating Systems Design and Implementation, OSDI'24. USENIX Association, 2024.

52. The RISC-V Instruction Set Manual Volume II: Privileged ISA. Available at: https://docs.riscv. org/reference/isa/_attachments/riscv-privileged.pdf, accessed 06.05.2025.

53. Learn the architecture - aarch64 memory management guide - Size of virtual addresses. Available at: https://developer.arm.com/documentation/101811/0105/Address-spaces/Size-of-virtual-addresses, accessed 06.05.2025.

54. Power ISA™ Version 3.1. Available at: https://files.openpower.foundation/s/bo728kgiWfgMHAr, accessed 06.05.2025.

55. Hierarchical RCU. Available at: https://lwn.net/Articles/305782/, accessed 06.05.2025.

56. McKenney P. E. Memory Barriers: a Hardware View for Software Hackers, technical report, 2010. Available at: http://www.rdrop.com/users/paulmck/scalability/paper/whymb.2010.06.07c.pdf, accessed 06.05.2025.

57. Alpha Architecture Reference Manual. Available at: https://download.majix.org/dec/alpha_arch_ref.pdf, accessed 06.05.2024.

58. Learn about Fuchsia: zx_object_get_child(). Available at: https://fuchsia.dev/reference/syscalls/object_get_child, accessed 06.05.2025.

59. Learn about Fuchsia: zx_object_get_info(). Available at: https://fuchsia.dev/reference/syscalls/object_get_info, accessed 06.05.2025.

60. Programming reference for the win32 API - win32 apps. Available at: https://learn.microsoft.com/en-us/windows/win32/api/, accessed 19.10.2025.

61. Atlidakis V., Andrus J., Geambasu R., Mitropoulos D., Nieh J. POSIX abstractions in modern operating systems: the old, the new, and the missing, Proceedings of the Eleventh European Conference on Computer Systems, EuroSys '16. Association for Computing Machinery, 2016. DOI: 10.1145/2901318.2901350.

62. Kerrisk M. The Linux Programming Interface. No Starch Press, 2010, 1552 p.

63. Drepper U. Futexes Are Tricky. Available at: https://www.akkadia.org/drepper/futex.pdf, accessed 06.05.2025.


Review

For citations:


BASKOV E.S., KHOROSHILOV A.V., PETRENKO A.K. An Implementation of Capability-based Security for the General-purpose Microkernel. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2026;38(3):7-36. (In Russ.) https://doi.org/10.15514/ISPRAS-2026-38(3)-44



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)